Paul,
By default the ASA will block traceroute. Traceroute is sent out with ICMP type 8 but will respond back with ICMP type 3 and 11. Test by sending a traceroute and see the traffic drop.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Monday, September 07, 2009 1:50 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Traceroute through ASA

By default the ASA is transparent to a traceroute due to the fact that it does not decrement the TTL. In Vol 2, Lab 11 section 1.3-4 it specifies that inside hosts should be able to "successfully" traceroute to devices on the drawing. What are the thoughts on using the method below to make the ASA visible? In my opinion, it is a gray area, but a successful traceroute should show the layer 3 devices.

policy-map global_policy
 class class-default
  set connection decrement-ttl
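Added example, not part of either message above and not IPexpert's lab solution: an ASA configuration that covers both points raised in the thread, the return ICMP error messages (type 3 and type 11) that traceroute depends on, and the TTL decrement that makes the ASA itself show up as a hop. The policy-map and class names are the ASA defaults; the rate-limit values are the ones Cisco's own traceroute documentation uses and can be tuned.

```cisco
! Let traceroute replies back through the ASA.
! "inspect icmp" matches echo replies to the outbound echo requests;
! "inspect icmp error" admits the type 3 (unreachable) and type 11
! (time-exceeded) messages whose payload carries an outbound probe,
! so only errors tied to an existing connection are allowed in.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  ! Decrement TTL so the probe whose TTL expires here is answered by
  ! the ASA and it appears as a hop instead of being transparent.
  set connection decrement-ttl
!
! The ASA rate-limits the ICMP unreachable/time-exceeded messages it
! generates (default 1 per second), which starves traceroute's three
! probes per hop; raise it so each probe gets an answer.
icmp unreachable rate-limit 10 burst-size 5
!
service-policy global_policy global
```

If ICMP error inspection is not wanted, the same return traffic can be admitted explicitly on the outside interface with `access-list outside_in extended permit icmp any any time-exceeded` and `... permit icmp any any unreachable` applied by `access-group outside_in in interface outside`; that opens the two error types to any host rather than only to hosts with a matching outbound connection, so the inspection approach is the narrower one. The `inspect icmp error` line is what matters for UDP-based traceroute (the Linux default), since there the ASA sees no ICMP echo at all and relies on the embedded original header to match the error to the outbound UDP flow.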
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
